Basic Zone Firewall not working

news2010a
Level 3

Hello, I configured the zone based firewall as shown below (it is a C2811 router).

Topology is:

Webserver(IP:10.2.0.100)----layer2switch----(fa0/0 IP:10.2.0.1) C2811 (fa0/1:10.4.0.1) ------------layer2switch---------clientPC(IP:10.4.0.4)

Behavior:
Before applying the class-map, I could ping from the webserver to the clientPC and vice versa OK.

Issue:
I applied the config as below. I was expecting that only http traffic would go through the zonefw.

Instead, all traffic continues to flow normally. What is wrong?

hostname zonefw
no ip domain-lookup
!
class-map type inspect match-all http
 match protocol http
!
policy-map type inspect http
 class type inspect http
  inspect
!
zone security internal
zone security external
zone-pair security myinbound source external destination internal
 service-policy type inspect http
zone-pair security myoutbound source internal destination external
 service-policy type inspect http
!
interface FastEthernet0/0
 ip address 10.2.0.1 255.254.0.0
 zone-member security internal
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.4.0.1 255.254.0.0
 zone-member security external
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
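
The configuration above has the shape ZBF expects, and it helps to state mechanically what it should do before going looking for hits on the router. The following script is an added example, not code from the thread or from Cisco: it parses the ZBF objects out of an IOS config (the thread's config is embedded as a constructed sample with the standard IOS indentation restored), flags dangling references, and prints what the documented ZBF defaults predict for each zone direction. For this config it predicts that only HTTP is inspected in either direction and everything else falls to the implicit class-default drop, which is exactly the behaviour the poster expected to see.

```python
"""Added example (not a Cisco tool): structural checks for an IOS zone-based firewall config.
Models the documented ZBF defaults: intra-zone traffic passes, inter-zone traffic with no
zone-pair policy is dropped, and an inspect policy's implicit class-default drops the rest."""
import re
from collections import defaultdict
from itertools import permutations

# Constructed sample: the ZBF-relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
class-map type inspect match-all http
 match protocol http
policy-map type inspect http
 class type inspect http
  inspect
zone security internal
zone security external
zone-pair security myinbound source external destination internal
 service-policy type inspect http
zone-pair security myoutbound source internal destination external
 service-policy type inspect http
interface FastEthernet0/0
 zone-member security internal
interface FastEthernet0/1
 zone-member security external
"""
ZONE_PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")


def sections(config):
    """Yield (header, [stripped child lines]) per top-level block; IOS indents children."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def parse_zbf(config):
    """Collect zones, zone membership, zone-pairs, inspect policy-maps and class-maps."""
    model = {"zones": set(), "members": defaultdict(list),
             "zone_pairs": {}, "policies": {}, "class_maps": {}}
    for header, children in sections(config):
        words = header.split()
        if header.startswith("zone security "):
            model["zones"].add(words[-1])
        elif header.startswith("zone-pair security "):
            name, src, dst = ZONE_PAIR_RE.match(header).groups()
            policy = [c.split()[-1] for c in children if c.startswith("service-policy ")]
            model["zone_pairs"][(src, dst)] = {"name": name, "policy": policy[0] if policy else None}
        elif header.startswith("policy-map type inspect "):
            classes, current = {}, None
            for c in children:
                if c.startswith("class "):          # "class type inspect X" or "class class-default"
                    current = c.split()[-1]
                    classes[current] = None
                elif current and classes[current] is None:   # first action line: inspect/pass/drop
                    classes[current] = c.split()[0]
            classes.setdefault("class-default", "drop (implicit)")  # IOS default when not overridden
            model["policies"][words[-1]] = classes
        elif header.startswith("class-map type inspect "):
            model["class_maps"][words[-1]] = children
        elif header.startswith("interface "):
            for c in children:
                if c.startswith("zone-member security "):
                    model["members"][c.split()[-1]].append(words[1])
    return model


def check_zbf(model):
    """Return dangling references; an empty list means the ZBF structure is sound."""
    findings = []
    for (src, dst), zp in model["zone_pairs"].items():
        findings += [f"zone-pair {zp['name']} references undefined zone {z}"
                     for z in (src, dst) if z not in model["zones"]]
        if zp["policy"] not in model["policies"]:
            findings.append(f"zone-pair {zp['name']} has no usable service-policy")
    for pname, classes in model["policies"].items():
        findings += [f"policy-map {pname} references undefined class-map {c}"
                     for c in classes if c != "class-default" and c not in model["class_maps"]]
    return findings


def expected_behaviour(model):
    """Map every (src, dst) zone direction to the class/action list ZBF will apply."""
    verdict = {}
    for src, dst in permutations(sorted(model["zones"]), 2):
        zp = model["zone_pairs"].get((src, dst))
        classes = model["policies"].get(zp["policy"]) if zp else None
        verdict[(src, dst)] = ("; ".join(f"{c}: {a}" for c, a in classes.items())
                               if classes else "no zone-pair policy: dropped by default")
    return verdict


if __name__ == "__main__":
    m = parse_zbf(SAMPLE_CONFIG)
    print(check_zbf(m) or "structure OK")
    for (src, dst), how in expected_behaviour(m).items():
        print(f"{src} -> {dst}: {how}")
```

Run it with python3 against the embedded sample, or read a saved `show running-config` into `parse_zbf`; the only things assumed beyond the config itself are the ZBF defaults named in the docstring.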

3 Replies

Marvin Rhoads
Hall of Fame

You did not configure (or did you remove it intentionally?) a class class-default. This is used by the firewall to drop (default behavior) any traffic not matching the earlier referenced class(es).

Reference.

I see the class-default is hidden, but when I do the command below, they show up. Still no success though, it seems the class-map http is not even getting hits. All protocols are allowed at this point. Any ideas?

zonefw#sh policy-map type inspect zone-pair sessions
Zone-pair: external-internal

  Service-policy inspect : http

    Class-map: http (match-all)
      Match: protocol http 
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
Zone-pair: internal-external

  Service-policy inspect : http

    Class-map: http (match-all)
      Match: protocol http 
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes

That does look odd. You do have the prerequisite security license, yes?
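
Whether the policy engine is seeing packets at all is the question the `show policy-map type inspect zone-pair sessions` output answers, and the output above shows zero counters under class-default and no sessions under the inspect class in both directions. The script below is an added example (not Cisco code and not from the thread): it parses that command's output into per-zone-pair, per-class counters and reports which zone-pairs have registered any packet or session. The thread's output is embedded as the IDLE sample; the HEALTHY sample is a constructed contrast showing what the same command reports once the inspect class has an open session and class-default is dropping unmatched traffic, and the exact layout of its 'Established Sessions' block is an assumption.

```python
"""Added example (not a Cisco tool): parse 'show policy-map type inspect zone-pair sessions'
output and say, per zone-pair, whether the inspect policy is actually seeing traffic."""
import re

# Constructed samples. IDLE is the output posted in the thread; HEALTHY is what the same
# command would show once the http class has an open session and class-default is dropping
# unmatched packets (the 'Established Sessions' block and its format are an assumption).
IDLE = """\
Zone-pair: external-internal
  Service-policy inspect : http
    Class-map: http (match-all)
      Match: protocol http
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
Zone-pair: internal-external
  Service-policy inspect : http
    Class-map: http (match-all)
      Match: protocol http
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
"""
HEALTHY = """\
Zone-pair: internal-external
  Service-policy inspect : http
    Class-map: http (match-all)
      Match: protocol http
      Inspect
        Established Sessions
         Session 6630A4C0 (10.4.0.4:51012)=>(10.2.0.100:80) http SIS_OPEN
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        42 packets, 3528 bytes
"""
CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-all|match-any)\)")
COUNTER_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
ACTIONS = ("Inspect", "Drop", "Pass")


def parse_zone_pair_sessions(output):
    """Return {zone_pair: {class_name: {"action", "packets", "bytes", "sessions"}}}."""
    stats, zp, cls = {}, None, None
    for line in output.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("Zone-pair:"):
            zp, cls = s.split(":", 1)[1].strip(), None
            stats[zp] = {}
        elif (m := CLASS_RE.match(line)):
            cls = m.group(1)
            stats[zp][cls] = {"action": None, "packets": 0, "bytes": 0, "sessions": 0}
        elif cls is None:
            continue                                  # header lines before the first class
        elif (m := COUNTER_RE.match(line)):
            stats[zp][cls]["packets"] += int(m.group(1))
            stats[zp][cls]["bytes"] += int(m.group(2))
        elif "=>" in s:                               # one established-session line
            stats[zp][cls]["sessions"] += 1
        elif s.split()[0] in ACTIONS and stats[zp][cls]["action"] is None:
            stats[zp][cls]["action"] = s.split()[0].lower()
    return stats


def diagnose(stats):
    """Per zone-pair verdict: is the policy engine seeing any traffic at all?"""
    verdict = {}
    for zp, classes in stats.items():
        hits = sum(c["packets"] + c["sessions"] for c in classes.values())
        if hits == 0:
            verdict[zp] = "no class has counted a packet or session; policy not seeing traffic"
            continue
        parts = [f"{name}: {c['action']} {c['packets']} pkts, {c['sessions']} sessions"
                 for name, c in classes.items()]
        verdict[zp] = "active; " + "; ".join(parts)
    return verdict


if __name__ == "__main__":
    for label, text in (("idle", IDLE), ("healthy", HEALTHY)):
        for zp, v in diagnose(parse_zone_pair_sessions(text)).items():
            print(f"[{label}] {zp}: {v}")
```

A zone-pair that stays in the "no class has counted" state while traffic is demonstrably crossing the router means the packets are not reaching the inspect engine at all, so the next things to check are whether the firewall feature is actually enabled and licensed on the platform rather than the class-map match conditions.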